PKI: Public Key Infrastructure – The Bane of Many Systems Administrators

James Carrion

Thu, 2012-10-11 15:00

There are two kinds of system administrators in this world – those who love PKI and those who hate it. Why does one technical subject have more than its fair share of lovers and haters? Maybe it has to do with how heavily left-brained PKI is, rooted as it is in math and logic. I don’t know about you, but although I can dance circles around computer technical subjects, I could not stomach the math requirements of a computer science degree and elected for the liberal arts instead.

In reality, PKI is no more rocket science than any other computer skill you have mastered - it just takes a little bit of understanding before it eventually starts to grow on you.

Math It Is Then

Well, let’s start out with pure basics here. PKI is based on Public-Private key pairs - meaning there are two keys, the Public Key that can be shared with the world, and the Private Key that should be shared with no one.

The Private Key is itself a pair of randomly selected prime numbers. If you don’t remember your high school math, a prime number is a number that can only be divided by the number one and itself - for example the number 3 and the number 5. The Public key is the product of these two secret prime numbers. So if the Private Key’s prime numbers were 3 and 5, the Public key would be 15 (3 X 5). See what I meant about the Math?

Now keep in mind that each of the Private Key’s prime numbers is very long, so that if anyone tried to factor the Public Key to find which two prime numbers were multiplied to produce it, it becomes an impossible task because of the infinite number of possible primes to choose from. In fact, your great-great-great-great-great-great-great-great grandchildren would be long dead before the two prime numbers could even be close to being found with a brute force effort using today’s computing power. Maybe the computers of that future generation will be able to handle the task much more easily, and then PKI as a security algorithm will have to be rethought, but for now it is secure enough that the planet’s entire E-commerce depends on it.

How does PKI Perform Its Magic?

A Public-Private Key pair is just like a congenial married couple who work cooperatively on household tasks: cleaning the house, where he agrees to scrub toilets while she agrees to wash the dishes, or yard work, where she mows while he bags leaves. What one partner does, the other partner cooperatively complements. PKI works the same way, with the cooperative tasks broken down into just two basic operations: Data Encryption and Data Signing.

Data Encryption

PKI handles data encryption cooperatively: a Public Key is used to encrypt data, and the corresponding Private Key is used to decrypt that same data. Encryption is necessary when you want only an intended recipient to be able to read the data, protecting it from other parties who are snooping around. In other words, Data Encryption ensures Data Confidentiality.

Data Signing

The same holds true for signing, except in this operation the signature is created with a Private Key and the corresponding Public Key is used to verify that the signature is valid. Signing data offers two benefits: if the recipient can validate the signature, they are assured that the data has not been modified since the signature was made (data integrity), and at the same time they are also able to verify who sent the data (data origination).

So let me illustrate for you how these two basic PKI operations of encrypting and signing can be used for securing email messages, although the same holds true for any data. First I would need a Public-Private Key pair in the form of a digital ID from any number of Public Certification Authorities (CAs). If you are on the cheap and don’t want to purchase one, you can request a free Digital ID from Comodo at http://www.comodo.com/.

If you already have a Digital ID, you could import it, or you could request one online by choosing the ‘Get Digital ID’ option. Notice that you can select the options to automatically have Outlook ‘encrypt contents and attachments for outgoing messages’, and ‘add digital signature to outgoing messages’.

For example, here are two trial certificates (digital IDs), and I have chosen the Comodo one in Outlook 2010 for encrypting/signing email messages. Note that in the ‘Change Security Settings’ dialog there is an option to automatically ‘Send these Certificates with Signed Messages’. Why? If I sign my email with the Private Key, then the recipient needs my Public Key to verify the signature. My Public Key is embedded in the certificate, and by attaching the certificate to the email, the recipient can readily use my Public Key to verify the digital signature.

Now that my Digital ID is installed, I can sign email. However, I can’t yet encrypt email, because encryption uses the recipient’s Public Key, not the originator’s. So if I wanted to send an encrypted email to my brother, I would first need to get a copy of his digital ID (certificate) and use his embedded Public Key to encrypt the message, confident that he would be the only one able to decrypt the message, as he is the only one who has access to the corresponding Private Key. If you can remember this simple rule: Sign with MY Private, Encrypt with YOUR Public, you will never forget which and whose key is used for an encryption/signing operation.

Also keep in mind that digitally signing an email has nothing to do with the normal ‘signature’ that Outlook can insert at the end of an email message with your contact information.
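The rule “Sign with MY Private, Encrypt with YOUR Public”, carried through with textbook RSA as an added example that is not part of the original article. In RSA the public key is the modulus n = p × q together with a public exponent e, and the private key is an exponent d computed from the secret primes. The toy key sizes, the lack of padding, and names such as MY_PRIVATE and SUE_PUBLIC are assumptions for illustration; real keys use much larger random primes and padded schemes.

```python
import hashlib
from math import gcd

def make_keypair(p, q, e=65537):
    """Textbook RSA: public key is (n, e), private key is (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if p == q or gcd(e, phi) != 1:
        raise ValueError("need distinct primes and e coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # computing d needs the secret primes p and q
    return (n, e), (n, d)

def encrypt(message: bytes, recipient_public) -> int:
    n, e = recipient_public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)

def decrypt(ciphertext: int, own_private) -> bytes:
    n, d = own_private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message: bytes, n: int) -> int:
    # Hash the message, then reduce it so it fits under the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, own_private) -> int:
    n, d = own_private
    return pow(_digest(message, n), d, n)

def verify(message: bytes, signature: int, sender_public) -> bool:
    n, e = sender_public
    return pow(signature, e, n) == _digest(message, n)

# Constructed toy keys (Mersenne primes): far too small and predictable for real use.
MY_PUBLIC, MY_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
SUE_PUBLIC, SUE_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)

def demo():
    body = b"for Sue only"
    sealed = encrypt(body, SUE_PUBLIC)        # encrypt with YOUR public key
    signature = sign(body, MY_PRIVATE)        # sign with MY private key
    return {
        "sue_reads": decrypt(sealed, SUE_PRIVATE),
        "signature_ok": verify(body, signature, MY_PUBLIC),
        "tampered_ok": verify(b"for Bob only", signature, MY_PUBLIC),
    }

if __name__ == "__main__":
    print(demo())
```

Calling `make_keypair(3, 5, e=3)` gives the modulus 15 from the 3 X 5 example earlier in the article.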

After sending myself an email from my Exchange account to another Exchange account with the auto-digital-signature option I mentioned earlier enabled, I can see on the right side of the received email header a ‘ribbon prize’ icon that indicates the message has been secured. When I click on this icon, the following dialog box shows up indicating that the signature is valid and trusted. This tells me two things: the person whose Digital ID was used to sign is indeed the person who sent it, and that person’s email message body has not been altered – thereby providing Data Origination and Data Integrity.

Here’s another test email, except this one is meant to be encrypted so only Sue can read it.

When I try to send the email, I get this warning message:

Why did I get this error? Remember the rule of thumb: Sign with MY Private Key, Encrypt with YOUR Public Key. Well, in this example ‘YOUR Public Key’ means Sue’s Public Key, so I would first have to ask Sue to send me her Digital ID, which contains her embedded Public Key, so I can use it to encrypt the email I am trying to send to her.

Summary

PKI is not rocket science, but it is math, although you don’t need to take pre-calculus to understand it. PKI boils down to two basic operations – encrypting data to ensure only the intended recipient can decrypt it, and signing data so that the intended recipient can verify who the data came from and that the data has not been modified since the signature was made.

The cool thing about PKI is that once you understand these basic tenets of encryption and signing, the same rules hold true whether the data you are protecting is email, a file on a disk, or packets going across the network.

In Part 2 of this article I will explain what the role of the Certification Authority is in the PKI process and how your computer knows when a Digital Certificate is valid or not.